authorAndrew G. Morgan <morgan@kernel.org>2001-10-10 05:00:11 +0000
committerAndrew G. Morgan <morgan@kernel.org>2001-10-10 05:00:11 +0000
commit6180f388df5004d5435cd6912445130cf260f94e (patch)
tree5a94a7b9640ad989a42d1fabeed6dc3f75c073f9
parentba9bf5016669e0b940243c51c62236968119313a (diff)
Relevant BUGIDs: 424315
Purpose of commit: cleanup, new feature Commit summary: --------------- I'm adding a new module (pam_debug) that helped me to verify that the new setcred handling did not suffer from a bug in the handling of 'auth optional'. I'm also fixing a D(()) line from libpam/pam_dispatch.c which was simply broken. [There is still an outstanding backward compatibility issue with pam_dispatch that I'll address with respect to Bug 468724.]
-rw-r--r--CHANGELOG4
-rw-r--r--libpam/pam_dispatch.c3
-rw-r--r--modules/pam_debug/Makefile15
-rw-r--r--modules/pam_debug/README15
-rw-r--r--modules/pam_debug/pam_debug.c175
5 files changed, 210 insertions, 2 deletions
diff --git a/CHANGELOG b/CHANGELOG
index ae2fa0bc..d4d29524 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -49,6 +49,10 @@ bug report - outstanding bugs are listed here:
0.76: please submit patches for this section with actual code/doc
patches!
+* verified that the setcred stack didn't suffer from the bug I was
+ nervous about, add a new module pam_debug to help me test this.
+ fixed a libpam/pam_dispatch.c instrumentation line that I tripped
+ over when testing. (Bug 424315 - agmorgan)
* some BSD updates and fixes from Mark Murray - including a slightly
more robust conversation function and some minimization of gcc
warnings. (Bug 449203 - agmorgan)
diff --git a/libpam/pam_dispatch.c b/libpam/pam_dispatch.c
index 6212ac87..2a6befd4 100644
--- a/libpam/pam_dispatch.c
+++ b/libpam/pam_dispatch.c
@@ -126,8 +126,7 @@ static int _pam_dispatch_aux(pam_handle_t *pamh, int flags, struct handler *h,
action = h->actions[cached_retval];
}
- D((stderr,
- "use_cached_chain=%d action=%d cached_retval=%d retval=%d\n",
+ D(("use_cached_chain=%d action=%d cached_retval=%d retval=%d",
use_cached_chain, action, cached_retval, retval));
/* decide what to do */
diff --git a/modules/pam_debug/Makefile b/modules/pam_debug/Makefile
new file mode 100644
index 00000000..ae22cade
--- /dev/null
+++ b/modules/pam_debug/Makefile
@@ -0,0 +1,15 @@
+#
+# $Id$
+#
+# This Makefile controls a build process of $(TITLE) module for
+# Linux-PAM. You should not modify this Makefile (unless you know
+# what you are doing!).
+#
+# Created by Andrew Morgan <morgan@linux.kernel.org> 2000/08/27
+#
+
+include ../../Make.Rules
+
+TITLE=pam_debug
+
+include ../Simple.Rules
diff --git a/modules/pam_debug/README b/modules/pam_debug/README
new file mode 100644
index 00000000..b537e3a7
--- /dev/null
+++ b/modules/pam_debug/README
@@ -0,0 +1,15 @@
+# $Id$
+#
+
+This module returns what its module arguments tell it to return. It
+can be used for debugging libpam and/or an application.
+
+Here are some example ways to use it:
+
+auth requisite pam_permit.so
+auth [success=2 default=ok] pam_debug.so auth=perm_denied cred=success
+auth [default=reset] pam_debug.so auth=success cred=perm_denied
+auth [success=done default=die] pam_debug.so
+auth optional pam_debug.so auth=perm_denied cred=perm_denied
+auth sufficient pam_debug.so auth=success cred=success
+
diff --git a/modules/pam_debug/pam_debug.c b/modules/pam_debug/pam_debug.c
new file mode 100644
index 00000000..152b977c
--- /dev/null
+++ b/modules/pam_debug/pam_debug.c
@@ -0,0 +1,175 @@
+/* pam_permit module */
+
+/*
+ * $Id$
+ *
+ * Written by Andrew Morgan <morgan@kernel.org> 2001/02/04
+ *
+ */
+
+#define DEFAULT_USER "nobody"
+
+#include <stdio.h>
+
+/*
+ * This module is intended as a debugging aide for determining how
+ * the PAM stack is operating.
+ *
+ * here, we make definitions for the externally accessible functions
+ * in this file (these definitions are required for static modules
+ * but strongly encouraged generally) they are used to instruct the
+ * modules include file to define their prototypes.
+ */
+
+#define PAM_SM_AUTH
+#define PAM_SM_ACCOUNT
+#define PAM_SM_SESSION
+#define PAM_SM_PASSWORD
+
+#include <security/pam_modules.h>
+#include <security/_pam_macros.h>
+
+#define _PAM_ACTION_UNDEF (-10)
+#include "../../libpam/pam_tokens.h"
+
+/* --- authentication management functions --- */
+
+static int state(pam_handle_t *pamh, const char *text)
+{
+ int retval;
+ struct pam_conv *conv;
+ struct pam_message msg[1], *mesg[1];
+ struct pam_response *response;
+
+ retval = pam_get_item(pamh, PAM_CONV, (const void **)&conv);
+ if ((retval != PAM_SUCCESS) || (conv == NULL)) {
+ D(("failed to obtain conversation function"));
+ return PAM_ABORT;
+ }
+
+ msg[0].msg_style = PAM_TEXT_INFO;
+ msg[0].msg = text;
+ mesg[0] = &msg[0];
+
+ retval = conv->conv(1, (const struct pam_message **) mesg,
+ &response, conv->appdata_ptr);
+ if (retval != PAM_SUCCESS) {
+ D(("conversation failed"));
+ }
+
+ return retval;
+}
+
+static int parse_args(int retval, const char *event,
+ pam_handle_t *pamh, int argc, const char **argv)
+{
+ int i;
+
+ for (i=0; i<argc; ++i) {
+ int length = strlen(event);
+ if (!strncmp(event, argv[i], length) && (argv[i][length] == '=')) {
+ int j;
+ const char *return_string = argv[i] + (length+1);
+
+ for (j=0; j<_PAM_RETURN_VALUES; ++j) {
+ if (!strcmp(return_string, _pam_token_returns[j])) {
+ retval = j;
+ state(pamh, argv[i]);
+ break;
+ }
+ }
+ break;
+ }
+ }
+
+ return retval;
+}
+
+PAM_EXTERN
+int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ int retval;
+ const char *user=NULL;
+
+ /*
+ * authentication requires we know who the user wants to be
+ */
+ retval = pam_get_user(pamh, &user, NULL);
+ if (retval != PAM_SUCCESS) {
+ D(("get user returned error: %s", pam_strerror(pamh,retval)));
+ return retval;
+ }
+ if (user == NULL || *user == '\0') {
+ D(("username not known"));
+ pam_set_item(pamh, PAM_USER, (const void *) DEFAULT_USER);
+ }
+ user = NULL; /* clean up */
+
+ retval = parse_args(PAM_SUCCESS, "auth", pamh, argc, argv);
+
+ return retval;
+}
+
+PAM_EXTERN
+int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return parse_args(PAM_SUCCESS, "cred", pamh, argc, argv);
+}
+
+/* --- account management functions --- */
+
+PAM_EXTERN
+int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ return parse_args(PAM_SUCCESS, "acct", pamh, argc, argv);
+}
+
+/* --- password management --- */
+
+PAM_EXTERN
+int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc,
+ const char **argv)
+{
+ if (flags & PAM_PRELIM_CHECK) {
+ return parse_args(PAM_SUCCESS, "prechauthtok", pamh, argc, argv);
+ } else {
+ return parse_args(PAM_SUCCESS, "chauthtok", pamh, argc, argv);
+ }
+}
+
+/* --- session management --- */
+
+PAM_EXTERN
+int pam_sm_open_session(pam_handle_t *pamh,int flags,int argc,
+ const char **argv)
+{
+ return parse_args(PAM_SUCCESS, "open_session", pamh, argc, argv);
+}
+
+PAM_EXTERN
+int pam_sm_close_session(pam_handle_t *pamh,int flags,int argc
+ ,const char **argv)
+{
+ return parse_args(PAM_SUCCESS, "close_session", pamh, argc, argv);
+}
+
+/* end of module definition */
+
+#ifdef PAM_STATIC
+
+/* static module data */
+
+struct pam_module _pam_permit_modstruct = {
+ "pam_debug",
+ pam_sm_authenticate,
+ pam_sm_setcred,
+ pam_sm_acct_mgmt,
+ pam_sm_open_session,
+ pam_sm_close_session,
+ pam_sm_chauthtok
+};
+
+#endif
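Review bot: parse_args calls strlen, strncmp and strcmp while pam_debug.c includes only <stdio.h> and the PAM headers, so unless one of those pulls in <string.h> transitively these calls rely on implicit declarations; add `#include <string.h>` beside the existing `#include <stdio.h>`. In state(), the `response` array the application's conversation function hands back is neither inspected nor released, so every matched argument leaks it; after the conv() call add `if (retval == PAM_SUCCESS && response != NULL) free(response);` (which in turn needs `#include <stdlib.h>`), and if the application also fills `response[0].resp` that string presumably needs freeing too. The PAM_STATIC block names the module struct `_pam_permit_modstruct` and the file header still reads `/* pam_permit module */`; a static build that links this module together with pam_permit itself would presumably hit a duplicate symbol, so renaming it to `_pam_debug_modstruct` and correcting the header comment to `/* pam_debug module */` looks warranted. Minor: `flags` is unused in most of the entry points and `DEFAULT_USER` is only used by pam_sm_authenticate, where silently substituting "nobody" for an unknown user deserves a one-line comment saying it is copied from pam_permit and intentional for a debugging module.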